In vSphere 7.0 Update 1 and later, you can activate Secure Encrypted Virtualization-Encrypted State (SEV-ES) on supported AMD CPUs and guest operating systems.

Currently, SEV-ES supports only AMD EPYC 7xx2 CPUs (code named "Rome") and later CPUs, and only versions of Linux kernels that include specific support for SEV-ES.

SEV-ES Components and Architecture

The SEV-ES architecture consists of the following components.

  • AMD CPU, specifically, the Platform Security Processor (PSP) that manages encryption keys and handles encryption.
  • Enlightened operating system, that is, an operating system that uses guest-initiated calls to the hypervisor.
  • Virtual Machine Monitor (VMM) and Virtual Machine Executable (VMX), to initialize an encrypted virtual machine state during virtual machine power-on, and also to handle calls from the guest operating system.
  • VMkernel driver, to communicate unencrypted data between the hypervisor and the guest operating system.

Implementing and Managing SEV-ES on ESXi

You must first activate SEV-ES in a system's BIOS configuration. See the documentation for your system for more information about accessing the BIOS configuration. After you have activated SEV-ES in the BIOS for your system, you can then add SEV-ES to a virtual machine.

You use either the vSphere Client (starting in vSphere 7.0 Update 2) or PowerCLI commands to activate and deactivate SEV-ES on virtual machines. You can create new virtual machines with SEV-ES, or activate SEV-ES on existing virtual machines. Privileges to manage virtual machines activated with SEV-ES are the same as for managing regular virtual machines.

Unsupported VMware Features on SEV-ES

The following features are not supported when SEV-ES is activated.

  • System Management Mode
  • vMotion
  • Powered-on snapshots (however, no-memory snapshots are supported)
  • Hot add or remove of CPU or memory
  • Suspend/resume
  • VMware Fault Tolerance
  • Clones and instant clones
  • Guest Integrity
  • UEFI Secure Boot